# Runtime base shared by the final image.
# NOTE(review): `10.0` is a floating tag. Pinning by digest
# (aspnet:10.0@sha256:<digest>) would make rebuilds reproducible and make
# base-image updates an explicit change.
FROM mcr.microsoft.com/dotnet/aspnet:10.0 AS base

# The HEALTHCHECK in the final stage probes the service with curl, so curl must
# exist in the runtime image; CA certificates and ICU already come with
# aspnet:10.0. The apt package lists are removed in the same layer so they never
# add to the image size.
RUN apt-get update && \
    apt-get install --yes --no-install-recommends curl && \
    rm -rf /var/lib/apt/lists/*

# Non-root runtime (security audit F-6 / AZ-518). The aspnet:10.0 image already
# provides an `app` user, so only the writable directories are created here and
# handed to that user.
# NOTE(review): this ownership covers the image's own directories. A host bind
# mount keeps the host directory's owner and mode, so the host paths mounted
# over /app/Content and /app/logs must also be writable by the app user's UID.
RUN mkdir --parents /app/Content /app/logs && \
    chown --recursive app:app /app

WORKDIR /app
# Documentation only: the port still has to be published at run time.
EXPOSE 8080

# SDK stage, pinned to the builder's own platform. The target architecture is
# only chosen later, at publish time, from TARGETARCH.
FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/dotnet/sdk:10.0 AS build
# Declared here so the stage derived from this one can read the target
# architecture supplied by the builder.
ARG TARGETARCH
WORKDIR /app

# The entire build context is copied into this stage. It is not part of the
# final image, but it still lands in build cache and in any exported cache.
# NOTE(review): confirm a .dockerignore keeps local secrets (.env files, keys),
# .git and host bin/obj output out of the context; none is visible from here.
COPY . ./
RUN dotnet restore

WORKDIR /app/Azaion.AdminApi
RUN dotnet build Azaion.AdminApi.csproj --configuration Release --output /app/build

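# Publish stage: produces the framework-dependent output copied into the
# runtime image.
FROM build AS publish
# Re-declared so the architecture mapping below does not depend on ARG
# inheritance from the parent stage.
ARG TARGETARCH
# Docker names the 64-bit x86 target "amd64" while dotnet expects "x64"; every
# other value is passed through unchanged. The expansion is quoted so an
# unexpected or overridden TARGETARCH value cannot be word-split or globbed into
# extra dotnet arguments.
RUN case "$TARGETARCH" in \
      amd64) arch="x64" ;; \
      *)     arch="$TARGETARCH" ;; \
    esac && \
    dotnet publish "Azaion.AdminApi.csproj" -c Release -o /app/publish /p:UseAppHost=false --os linux --arch "$arch"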

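# Runtime image: the base stage plus the published output. The SDK and the
# sources stay behind in the build stages.
FROM base AS final
# Build metadata supplied by CI. ARG values and labels are readable from the
# image history and config, so only non-secret values belong here.
ARG CI_COMMIT_SHA=unknown
ARG BUILD_DATE=unknown
# Exposes the built revision to the running process.
ENV AZAION_REVISION=$CI_COMMIT_SHA
LABEL org.opencontainers.image.title="azaion.admin-api" \
      org.opencontainers.image.revision="$CI_COMMIT_SHA" \
      org.opencontainers.image.created="$BUILD_DATE" \
      org.opencontainers.image.source="https://git.azaion.com/azaion/admin"
WORKDIR /app
# NOTE(review): the published files are owned by `app`, so the runtime account
# can rewrite its own binaries. If the service only writes to /app/Content and
# /app/logs, leaving the published files root-owned would be tighter; confirm
# before changing.
COPY --from=publish --chown=app:app /app/publish .
# Drop root before the process starts. APP_UID is set by the .NET base images to
# the numeric UID of the built-in `app` user; a numeric USER lets orchestrators
# that enforce a non-root policy verify it, which a user name does not allow.
USER $APP_UID
# Liveness probe. curl --fail turns HTTP error statuses into a non-zero exit,
# and `|| exit 1` normalises every failure to the code Docker reads as unhealthy.
HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
    CMD curl --fail --silent --show-error http://localhost:8080/health/live || exit 1
# Exec form: dotnet runs as PID 1 and receives stop signals directly.
ENTRYPOINT ["dotnet", "Azaion.AdminApi.dll"]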
